Solved

How to secure folders on IIS/ASP.NET?

Posted on 2011-09-07
11
306 Views
Last Modified: 2012-05-12
Hello,
I have ASP.net web application and I'm using forms based authentication and role based authorization using web.config.

Now I need to use role based authorization to limit access to subfolders. I know i can do it by placing  modified web.config in subfolders
BUT
in this subfolders are .html or .jpg or .gif files. I need to limit access to those files.

How can I do it?

Best Regards
Fooky
0
Comment
Question by:f_o_o_k_y
  • 7
  • 3
11 Comments
 
LVL 25

Expert Comment

by:Rouchie
ID: 36501139
I believe this is done is IIS.  There's a solution here but not sure if its overkill.  I'm afraid I can't remember how I did this it was a long time ago...  http://forums.asp.net/t/1434944.aspx/1
0
 
LVL 25

Expert Comment

by:Rouchie
ID: 36501142
Pasted from above:
1.    Open the IIS manager console.
2.    Under the Sites node, right click the web site or the folder which contains the file you want to protect.
3.    In the Features View group by “Area”, under the “IIS” Section, click “Handler Mappings”
4.    In the “Actions” frame, on the right side of the console, click “Add Managed Handler…”
5.    In the prompted Dialog, fill the text boxes, and Request Path: *; Type: System.Web.DefaultHttpHandler; Name: AuthFile.
6.    Click ok, and restart IIS 7.0.
0
 
LVL 4

Expert Comment

by:vaibhavjaiman
ID: 36501379
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 11

Author Comment

by:f_o_o_k_y
ID: 36501586
Hi,
I did: ID:36501142Author:Rouchie

and now i have error like this:
 
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.PlatformNotSupportedException: The DefaultHttpHandler.BeginProcessRequest method is not supported by IIS integrated pipeline mode.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[PlatformNotSupportedException: The DefaultHttpHandler.BeginProcessRequest method is not supported by IIS integrated pipeline mode.]
   System.Web.DefaultHttpHandler.BeginProcessRequest(HttpContext context, AsyncCallback callback, Object state) +2877787
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +8690594
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155

Open in new window


Best Regards
FooKy
0
 
LVL 25

Expert Comment

by:Rouchie
ID: 36501665
Are you strictly using IIS7, or 6 as well on a dev/live server?
0
 
LVL 25

Accepted Solution

by:
Rouchie earned 500 total points
ID: 36501715
IF you're only using IIS7, remove the addition added before, then following the steps here:
http://weblogs.asp.net/hosamkamel/archive/2008/12/15/secure-file-download-area-using-iis-6-0-and-iis-7-0.aspx


For IIS 7.0 (Integrated Pipeline mode):

The default configuration for all managed modules shipped with IIS 7.0, including the Forms Authentication and URL Authorization modules, uses a precondition so that these modules only apply to content that an  (ASP.NET) handler manages. This is done for backwards compatibility reasons. (as mentioned in For IIS 6.0 section)

By removing the precondition, we make the desired managed module execute for all requests to the application, regardless of content. This is necessary in order to protect our static files, and any other application content with Forms-based authentication.

To do this, open the application's web.config file located in the %systemdrive%\inetpub\wwwroot directory, and paste the following lines immediately below the first <configuration> element:

<system.webServer>
<modules>
    <remove name="FormsAuthenticationModule" />    
   <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />    
    <remove name="UrlAuthorization" />    
    <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />    
    <remove name="DefaultAuthentication" />    
    <add name="DefaultAuthentication" type="System.Web.Security.DefaultAuthenticationModule" />    
</modules>
</system.webServer> 

Open in new window

0
 
LVL 11

Author Comment

by:f_o_o_k_y
ID: 36904074
Hi,
Sorry for delay in response.

I've tried to use this, and I can limit access to authenticated users only but I cannot get it to work with roles

So if I have
<allow roles="test1">
<deny users="*">

I can access test.apsx (of course after authentication ) and i can display in this file all roles i belong to
but if i try access test.html then i'm always redirected to login.apsx

it seams that when I'm accessing html files I do not have information about roles ?

any help would appreciated

Best regards
Fooky
0
 
LVL 25

Expert Comment

by:Rouchie
ID: 36909235
If you specify the page explicitly it should certainly work:

	<location path="/enter/your/path/to/test.html">
		<system.web>
			<authorization>
				<deny users="?"/>
				<allow roles="test1"/>
			</authorization>
		</system.web>
	</location>

Open in new window

0
 
LVL 25

Expert Comment

by:Rouchie
ID: 36909240
Don't forget the rules you specify in web.config are inherited, so rules you put before/after this will affect what ASP.NET does.  Later rules take precedence over earlier rules, so try putting the above code last in web.config to ensure it gets treated with the highest priority.
0
 
LVL 25

Expert Comment

by:Rouchie
ID: 36909250
0
 
LVL 11

Author Closing Comment

by:f_o_o_k_y
ID: 37005044
Sorry for delay in closing
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Jquery datatables integration with ASP.NET MVC, bootstrap 3 23
Convert Select to DropDownListFor MVC 5 2 31
PCI Scan on IIS Remediation not working 1 44
IIS FTP Logging 10 39
What is an ISAPI filter?   •      It's an assembly (.dll file) that can add or change the way IIS works.   •      They can be enabled globally for your web server or on a site-by-site basis.   When the IIS server receives a request, enabling the ISAPI fi…
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question